Re: Send response to client
Hi,

On 27.06.2011 07:55, Christ Schlacta wrote:

> is it at all possible to send a message to a windows 7 or windows vista client that the client is guaranteed to see when authentication is rejected?
>
> more details: wireless WPA2-EAP-TLS

There is no such guarantee. RADIUS ends at the access-point; from then on, everything must be fitted into an EAPoL exchange. I'm not aware of any supplicant that processes EAP-Notifications at the time of rejection, and also not aware that an Access Point would encapsulate a Reply-Message into such a notification. Even if there was a supplicant and AP to do that, you couldn't be sure that the end device is actually using that supplicant.

Greetings,

Stefan Winter

> on a Ubiquiti PicoStation 2 firmware 5.3.2 (I believe it includes some form of hostapd, but I'm not sure which version)
> Freeradius Version 2.1.9
> Clients running Windows 7 or Windows Vista with no special software installed.
>
> the procedure is OS, Wired Driver, ethernet cable, Windows Update once for drivers, Wireless certificate, connect to Wifi, (Note this point) finish updates. It's at the "Note this point" point that I want the clients to be able to receive a rejection response with some level of certainty. what users add to their system later is welcome to break it, if they're willing to deal with it.

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Send response to client
On Mon, Jun 27, 2011 at 12:55 PM, Christ Schlacta li...@aarcane.org wrote:

> is it at all possible to send a message to a windows 7 or windows vista client that the client is guaranteed to see when authentication is rejected?
>
> more details: wireless WPA2-EAP-TLS on a Ubiquiti PicoStation 2 firmware 5.3.2 (I believe it includes some form of hostapd, but I'm not sure which version)
> Freeradius Version 2.1.9
> Clients running Windows 7 or Windows Vista with no special software installed.
>
> the procedure is OS, Wired Driver, ethernet cable, Windows Update once for drivers, Wireless certificate, connect to Wifi, (Note this point) finish updates. It's at the "Note this point" point that I want the clients to be able to receive a rejection response with some level of certainty. what users add to their system later is welcome to break it, if they're willing to deal with it.

I don't quite understand what you wrote, but one of the changelog entries for 2.1.11 was "Allow EAP-MSCHAPv2 to send error message to client". Is that what you need? See freeradius.org for complete 2.1.11 changelog.

--
Fajar
Re: Send response to client
On Jun 27, 2011, at 7:55 AM, Christ Schlacta wrote:

> is it at all possible to send a message to a windows 7 or windows vista client that the client is guaranteed to see when authentication is rejected?

Not using EAP no. There's a special EAP-Message type of EAP-Notification which is meant to contain a human interpreted message, but only a few supplicants will actually display it, and none of those are bundled Windows Supplicants.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter
Re: Send response to client
It's even worse than that. Windows XP and Vista supplicants will respond to an EAP notification message (after dropping it on the ground) with the appropriate acknowledgement. The first release of Windows 7 wouldn't even do that. So if an EAP server sent a Notification message, the state machine would grind to a halt. There was a hotfix, hopefully it was integrated into the patch stream by now.

Dave. (former user of Notification messages)

Quoting Arran Cudbard-Bell a.cudba...@freeradius.org:

> On Jun 27, 2011, at 7:55 AM, Christ Schlacta wrote:
>
> > is it at all possible to send a message to a windows 7 or windows vista client that the client is guaranteed to see when authentication is rejected?
>
> Not using EAP no. There's a special EAP-Message type of EAP-Notification which is meant to contain a human interpreted message, but only a few supplicants will actually display it, and none of those are bundled Windows Supplicants.
>
> -Arran
>
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
>
> RADIUS - Half the complexity of Diameter
Re: Send response to client
ProCurve products used to encapsulate the Reply-Message in an EAP-Notification and send it after sending the EAP-Success packet. Windows and Mac clients ignored the packet (actually Macs printed the contents in one of the log files, which was kinda cool), but WPA_Supplicant took it to mean that the switch wanted to restart authentication (which is technically correct).

Anyway, the side effect of this was that every 60 seconds or so, every 802.1X authenticated Linux Box on the network re-authenticated.

-Arran

On Jun 27, 2011, at 3:35 PM, David Mitton wrote:

> It's even worse than that. Windows XP and Vista supplicants will respond to an EAP notification message (after dropping it on the ground) with the appropriate acknowledgement. The first release of Windows 7 wouldn't even do that. So if an EAP server sent a Notification message, the state machine would grind to a halt. There was a hotfix, hopefully it was integrated into the patch stream by now.
>
> Dave. (former user of Notification messages)
>
> Quoting Arran Cudbard-Bell a.cudba...@freeradius.org:
>
> > On Jun 27, 2011, at 7:55 AM, Christ Schlacta wrote:
> >
> > > is it at all possible to send a message to a windows 7 or windows vista client that the client is guaranteed to see when authentication is rejected?
> >
> > Not using EAP no. There's a special EAP-Message type of EAP-Notification which is meant to contain a human interpreted message, but only a few supplicants will actually display it, and none of those are bundled Windows Supplicants.
> >
> > -Arran
> >
> > Arran Cudbard-Bell
> > a.cudba...@freeradius.org
> >
> > RADIUS - Half the complexity of Diameter

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter
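The two Notification failure modes described in the replies above (a Notification Request that the supplicant never acknowledges, and a Request sent after EAP-Success), as an added example that is not part of the thread: a small checker over EAP packets using the RFC 3748 header layout. The function names and the sample exchanges are constructed for illustration.

```python
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # EAP codes (RFC 3748)
TYPE_NOTIFICATION = 2  # EAP type number for Notification (RFC 3748)

def build_eap(code, ident, eap_type=None, data=b""):
    """Build one EAP packet: Code, Identifier, Length, then Type and Type-Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    """Return (code, identifier, type or None), validating the Length field."""
    if len(pkt) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    if code in (REQUEST, RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        return code, ident, pkt[4]
    return code, ident, None

def audit_exchange(packets):
    """Walk (sender, packet) pairs in order and list Notification problems."""
    findings, pending, finished = [], None, False
    for sender, pkt in packets:
        code, ident, eap_type = parse_eap(pkt)
        if sender == "peer":
            if (code, eap_type, ident) == (RESPONSE, TYPE_NOTIFICATION, pending):
                pending = None  # Notification acknowledged
            continue
        if pending is not None:  # server moved on without getting an ack
            findings.append(f"notification id={pending} never acknowledged")
            pending = None
        if finished and code == REQUEST:
            findings.append(f"request type={eap_type} sent after Success/Failure")
        if code == REQUEST and eap_type == TYPE_NOTIFICATION:
            pending = ident
        finished = finished or code in (SUCCESS, FAILURE)
    if pending is not None:
        findings.append(f"notification id={pending} never acknowledged")
    return findings

# Constructed sample exchanges (not captures from the thread).
NOTE = build_eap(REQUEST, 7, TYPE_NOTIFICATION, b"Certificate rejected")
ACKED = [("server", NOTE), ("peer", build_eap(RESPONSE, 7, TYPE_NOTIFICATION)),
         ("server", build_eap(FAILURE, 7))]
STALLED = [("server", NOTE)]
AFTER_SUCCESS = [("server", build_eap(SUCCESS, 6)), ("server", NOTE)]
```

`audit_exchange(STALLED)` reports the unacknowledged Notification, and `audit_exchange(AFTER_SUCCESS)` additionally reports the Request that arrives after the exchange has already finished.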
Send response to client
is it at all possible to send a message to a windows 7 or windows vista client that the client is guaranteed to see when authentication is rejected?

more details: wireless WPA2-EAP-TLS on a Ubiquiti PicoStation 2 firmware 5.3.2 (I believe it includes some form of hostapd, but I'm not sure which version)
Freeradius Version 2.1.9
Clients running Windows 7 or Windows Vista with no special software installed.

the procedure is OS, Wired Driver, ethernet cable, Windows Update once for drivers, Wireless certificate, connect to Wifi, (Note this point) finish updates. It's at the "Note this point" point that I want the clients to be able to receive a rejection response with some level of certainty. what users add to their system later is welcome to break it, if they're willing to deal with it.